[kernel] r13036 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Sun Mar 8 21:45:03 UTC 2009


Author: dannf
Date: Sun Mar  8 21:45:00 2009
New Revision: 13036

Log:
ext4: Add sanity checks for the superblock before mounting the filesystem
(CVE-2009-0748)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/ext4-add-sanity-checks-for-the-superblock-before-mounting.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/13lenny2

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	(original)
+++ dists/lenny-security/linux-2.6/debian/changelog	Sun Mar  8 21:45:00 2009
@@ -6,8 +6,10 @@
     (CVE-2009-0745)
   * ext4: Add sanity check to make_indexed_dir (CVE-2009-0746)
   * ext4: only use i_size_high for regular files (CVE-2009-0747)
+  * ext4: Add sanity checks for the superblock before mounting the filesystem
+    (CVE-2009-0748)
 
- -- dann frazier <dannf at debian.org>  Sun, 08 Mar 2009 14:51:51 -0600
+ -- dann frazier <dannf at debian.org>  Sun, 08 Mar 2009 15:01:45 -0600
 
 linux-2.6 (2.6.26-13lenny1) stable-security; urgency=high
 

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/ext4-add-sanity-checks-for-the-superblock-before-mounting.patch
==============================================================================
--- (empty file)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/ext4-add-sanity-checks-for-the-superblock-before-mounting.patch	Sun Mar  8 21:45:00 2009
@@ -0,0 +1,74 @@
+commit 4ec110281379826c5cf6ed14735e47027c3c5765
+Author: Theodore Ts'o <tytso at mit.edu>
+Date:   Tue Jan 6 14:53:26 2009 -0500
+
+    ext4: Add sanity checks for the superblock before mounting the filesystem
+    
+    This avoids insane superblock configurations that could lead to kernel
+    oops due to null pointer derefences.
+    
+    http://bugzilla.kernel.org/show_bug.cgi?id=12371
+    
+    Thanks to David Maciejak at Fortinet's FortiGuard Global Security
+    Research Team who discovered this bug independently (but at
+    approximately the same time) as Thiemo Nagel, who submitted the patch.
+    
+    Signed-off-by: Thiemo Nagel <thiemo.nagel at ph.tum.de>
+    Signed-off-by: "Theodore Ts'o" <tytso at mit.edu>
+    Cc: stable at kernel.org
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/fs/ext4/super.c linux-source-2.6.26/fs/ext4/super.c
+--- linux-source-2.6.26.orig/fs/ext4/super.c	2009-02-07 16:43:11.000000000 -0700
++++ linux-source-2.6.26/fs/ext4/super.c	2009-03-08 14:57:15.000000000 -0600
+@@ -1827,8 +1827,8 @@ static int ext4_fill_super (struct super
+ 	struct inode *root;
+ 	int ret = -EINVAL;
+ 	int blocksize;
+-	int db_count;
+-	int i;
++	unsigned int db_count;
++	unsigned int i;
+ 	int needs_recovery;
+ 	__le32 features;
+ 	__u64 blocks_count;
+@@ -2113,20 +2113,30 @@ static int ext4_fill_super (struct super
+ 	if (EXT4_BLOCKS_PER_GROUP(sb) == 0)
+ 		goto cantfind_ext4;
+ 
+-	/* ensure blocks_count calculation below doesn't sign-extend */
+-	if (ext4_blocks_count(es) + EXT4_BLOCKS_PER_GROUP(sb) <
+-	    le32_to_cpu(es->s_first_data_block) + 1) {
+-		printk(KERN_WARNING "EXT4-fs: bad geometry: block count %llu, "
+-		       "first data block %u, blocks per group %lu\n",
+-			ext4_blocks_count(es),
+-			le32_to_cpu(es->s_first_data_block),
+-			EXT4_BLOCKS_PER_GROUP(sb));
++        /*
++         * It makes no sense for the first data block to be beyond the end
++         * of the filesystem.
++         */
++        if (le32_to_cpu(es->s_first_data_block) >= ext4_blocks_count(es)) {
++                printk(KERN_WARNING "EXT4-fs: bad geometry: first data"
++		       "block %u is beyond end of filesystem (%llu)\n",
++		       le32_to_cpu(es->s_first_data_block),
++		       ext4_blocks_count(es));
+ 		goto failed_mount;
+ 	}
+ 	blocks_count = (ext4_blocks_count(es) -
+ 			le32_to_cpu(es->s_first_data_block) +
+ 			EXT4_BLOCKS_PER_GROUP(sb) - 1);
+ 	do_div(blocks_count, EXT4_BLOCKS_PER_GROUP(sb));
++	if (blocks_count > ((uint64_t)1<<32) - EXT4_DESC_PER_BLOCK(sb)) {
++		printk(KERN_WARNING "EXT4-fs: groups count too large: %u "
++		       "(block count %llu, first data block %u, "
++		       "blocks per group %lu)\n", sbi->s_groups_count,
++		       ext4_blocks_count(es),
++		       le32_to_cpu(es->s_first_data_block),
++		       EXT4_BLOCKS_PER_GROUP(sb));
++		goto failed_mount;
++	}
+ 	sbi->s_groups_count = blocks_count;
+ 	db_count = (sbi->s_groups_count + EXT4_DESC_PER_BLOCK(sb) - 1) /
+ 		   EXT4_DESC_PER_BLOCK(sb);
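Review bot: The new "groups count too large" warning prints `sbi->s_groups_count`, but that field is only assigned from `blocks_count` on the line after the check, so a rejected superblock is logged with whatever the field held before (presumably its initial value) rather than the offending count. Print the computed value instead, e.g. `"EXT4-fs: groups count too large: %llu "` with `(unsigned long long)blocks_count` as the argument, so the message is usable when triaging a corrupted or crafted image. The first warning also concatenates `"first data"` and `"block %u is beyond..."` without a separating space, which logs "first datablock"; add a trailing space to the first literal. The added comment and `if` in that first check are indented with spaces where the surrounding context lines use tabs. ext4_fill_super starts and ends outside this hunk, so how `db_count` and `i` are used after the signedness change cannot be checked from here.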

Modified: dists/lenny-security/linux-2.6/debian/patches/series/13lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/13lenny2	(original)
+++ dists/lenny-security/linux-2.6/debian/patches/series/13lenny2	Sun Mar  8 21:45:00 2009
@@ -6,3 +6,4 @@
 + bugfix/all/ext4-initialize-the-new-group-descriptor-when-resizing-the-filesystem.patch
 + bugfix/all/ext4-add-sanity-check-to-make_indexed_dir.patch
 + bugfix/all/ext4-only-use-i_size_high-for-regular-files.patch
++ bugfix/all/ext4-add-sanity-checks-for-the-superblock-before-mounting.patch


